Auth. Maint. for PA20 and PA30

Former Member
0 Kudos

Dear Experts,

We want to authorize a user with PA20 to display HR master data for certain infotypes and maintain HR master data for some other infotypes using PA30. The problem is a single auth object controls both the tcodes. Hence the user gets Change Authorization for all the infotypes mentioned for PA20 and PA30. I even tried creating 2 different roles for the tcodes but did not get any help.

Please advise how this objective can be achieved.

Regards,

Prashant P.

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

The user needs:

1: Display access to all infotypes to be seen (including the ones to be edited in PA30)

2: Change access to the infotypes he/she must edit with PA30

3: Access to tcodes PA20 and PA30

As you correctly stated, points 1 and 2 are covered by the same object.

To achieve points 1 and 2 without them interfering with each other the role needs two instances of the object that controls the infotypes, P_ORGIN (or P_ORGINCON, depending on your configuration), one with read access, and one with write access. Put the respective infotypes in the objects and note that some may occur in both if they are to be read as well as edited.

In P_ORGIN the AUTHC field for object 1 is set to R and M and the AUTHC field for object 2 is set to W. Other values are possible and I advise you to look for "AUTHC values" in SAPhelp.

Hope this helps

Jurjen

I see I've been beaten to it this time, oh well. Both pieces of advice are more or less the same anyway.

Edited by: Jurjen Heeck on Feb 14, 2008 8:31 AM

5 REPLIES 5

Former Member
0 Kudos

Hi,

You won't be able to restrict which infotypes are displayed via a transaction and maintained via another like PA30. Also, the access provided to a user through a number of roles is cumulative and the role will not separate the access to specific transactions if authorisation is provided by common objects.

First thing would be to take a look at the auth level you have assigned to the object. In the same role you would have two authorisations for P_ORGIN - one with auth level R & M for the infotypes to display, and one with E, D, W or * for the infotypes to be maintained.

Alternatively, if you are using the context solution the same solution would apply to object P_ORGINCON but you will need to ensure that the structural profiles assigned to each object are aligned with authorisations assigned i.e. structural profile for display access does not contain maintain access.

If you have activated P_PERNR then ensure these authorisations match up to the P_ORGIN or P_ORGINCON.

Hope this helps.

Regards
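
The two-authorization setup from the accepted solution and the reply above, as an added example that is not part of the original thread and is not SAP code. It is a simplified model that looks only at the INFTY and AUTHC fields and matches levels literally; the infotype numbers and role contents are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One P_ORGIN authorization in a role: allowed values per field."""
    infty: frozenset  # infotype numbers, "*" means all
    authc: frozenset  # authorization levels (R, M, W, ...), "*" means all


def auth(infotypes, levels):
    return Authorization(frozenset(infotypes), frozenset(levels))


def covers(allowed, value):
    return "*" in allowed or value in allowed


def is_authorized(auths, infty, authc):
    """Passes only if ONE authorization covers ALL checked fields together."""
    return any(covers(a.infty, infty) and covers(a.authc, authc) for a in auths)


def effective_access(auths, infotypes):
    """Map infotype -> (can_display, can_change), using levels R and W."""
    return {i: (is_authorized(auths, i, "R"), is_authorized(auths, i, "W"))
            for i in infotypes}


# Constructed sample: 0002 and 0008 are display-only, 0006 is maintained.
DISPLAY_ONLY = ["0002", "0008"]
MAINTAIN = ["0006"]
ALL = DISPLAY_ONLY + MAINTAIN

# The reported problem: one authorization holding every infotype and level.
MERGED = [auth(ALL, ["R", "M", "W"])]

# Two roles do not help if one of them still grants W on every infotype,
# because the user's authorizations are the sum of all assigned roles.
TWO_ROLES = [auth(ALL, ["R", "M"])] + [auth(ALL, ["W"])]

# The suggested setup: read authorization for everything to be seen,
# write authorization only for the infotypes to be maintained.
SPLIT = [auth(ALL, ["R", "M"]), auth(MAINTAIN, ["W"])]

if __name__ == "__main__":
    for name, auths in [("merged", MERGED), ("two roles", TWO_ROLES), ("split", SPLIT)]:
        print(name, effective_access(auths, ALL))
```

Running the same comparison over a role's real P_ORGIN values is a quick review for any infotype that ends up with change access unintentionally.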

0 Kudos

Hi Jurjen,

Would it be possible to add an object in P_ORGIN object, say 'org unit' or so, and control the authorization?

Or is it possible to add some object for Personal Sub Area for PA20/PA30?

Regards,

prashant

0 Kudos

> Would it be possible to add an object in P_ORGIN object, say 'org unit' or so, and control the authorization?

I don't really see what you mean by adding an object in an object. You cannot add fields to an existing SAP object.

If you want authorizations to work for parts of your organization you'll have to look into structural authorizations and possibly the use of P_ORGINCON. That does require studying as the subject of structural authorizations is all but simple.

> Or is it possible to add some object for Personal Sub Area for PA20/PA30?

Same as above remark, you'll have to do with the fields available. Maybe the employee group and subgroup are usable for your goal.

Jurjen

0 Kudos

Perhaps it's a possibility to check the functionality for authorizing through organizational key (VDSK1)?

This allows a little more flexibility for what 'objects' you want to authorize on.

Have a look at the below link:

VDSK1 - organizational key: http://help.sap.com/erp2005_ehp_02/helpdata/en/17/4bba3b3bf00152e10000000a114084/content.htm